2-2 Securing WebLogic Web Services for Oracle WebLogic Server
■ Section 2.24, Securing Web Services Atomic Transactions
■ Section 2.25, Proprietary Web Services Security Policy Files (JAX-RPC Only)
2.1 Overview of Message-Level Security
Message-level security specifies whether the SOAP messages between a client application and the Web service invoked by the client should be digitally signed or encrypted, or both. It can also specify a shared security context between the Web service and client in the event that they exchange multiple SOAP messages. You can use message-level security to assure:

■ Confidentiality, by encrypting message parts
■ Integrity, by digital signatures
■ Authentication, by requiring username, X.509, or SAML tokens

See Section 2.4, Configuring Simple Message-Level Security for the basic steps you must perform to configure simple message-level security. This section discusses configuration of the Web services runtime environment, as well as configuration of message-level security for a particular Web service and how to code a client application to invoke the service.

You can also configure message-level security for a Web service at runtime, after a Web service has been deployed. See Section 2.10, Associating Policy Files at Runtime Using the Administration Console for details.
2.1.1 Web Services Security Supported Standards
WebLogic Web services implement the following OASIS Standard 1.1 Web Services Security (WS-Security 1.1) specifications (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss), dated February 1, 2006:
■ WS-Security 1.0 and 1.1
■ Username Token Profile 1.0 and 1.1
■ X.509 Token Profile 1.0 and 1.1
■ SAML Token Profile 1.0 and 1.1

These specifications provide security token propagation, message integrity, and message confidentiality. These mechanisms can be used independently (such as passing a username token for user authentication) or together (such as digitally signing and encrypting a SOAP message and specifying that a user must use X.509 certificates for authentication).
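The Username Token Profile listed above defines how a client proves a username and password without placing the password in the message: the token carries a nonce, a creation time, and Base64(SHA-1(nonce + created + password)) as the password digest. The following Python is an added example, not WebLogic code; it builds such a token on the client side and shows the checks a service should make on it (digest type, freshness, nonce replay, digest match). The credential dictionary, the in-memory nonce cache and the `now` test hook are assumptions of the example.

```python
"""WS-Security UsernameToken with PasswordDigest, as specified by the OASIS
Username Token Profile: the client builds the token, the service verifies it.
Added illustration, not WebLogic's implementation; the credential store, the
nonce cache and the clock parameter are assumptions made for the example."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NONCE_B64 = ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)); the profile
    hashes the raw nonce bytes, not their base64 text."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def build_username_token(username, password, nonce=None, created=None) -> str:
    """Client side: emit a wsse:UsernameToken carrying the digest instead of the
    password. nonce/created are parameters only so the example is reproducible."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PASSWORD_DIGEST)
    pw.text = password_digest(nonce, created, password)
    nonce_el = ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=NONCE_B64)
    nonce_el.text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


class UsernameTokenVerifier:
    """Service side: rejects clear-text passwords, stale timestamps, replayed
    nonces and wrong digests."""

    def __init__(self, credentials, max_age=timedelta(minutes=5), now=None):
        self.credentials = credentials   # assumed store: {username: password}
        self.max_age = max_age
        self.seen_nonces = set()         # replay cache; a real one expires entries
        self.now = now                   # fixed "YYYY-MM-DDTHH:MM:SSZ" for tests, else wall clock

    def verify(self, token_xml: str) -> bool:
        tok = ET.fromstring(token_xml)
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_el = tok.find(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if user is None or pw is None or nonce_el is None or created is None:
            return False
        if pw.get("Type") != PASSWORD_DIGEST:
            return False                 # PasswordText would carry the secret in clear
        now = (datetime.strptime(self.now, TS_FMT) if self.now
               else datetime.now(timezone.utc).replace(tzinfo=None))
        created_dt = datetime.strptime(created, TS_FMT)
        if not (now - self.max_age <= created_dt <= now + timedelta(minutes=1)):
            return False                 # outside the freshness window (1 min clock skew allowed)
        nonce = base64.b64decode(nonce_el.text or "")
        if nonce in self.seen_nonces:
            return False                 # replayed token
        password = self.credentials.get(user)
        if password is None:
            return False
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
            return False
        self.seen_nonces.add(nonce)
        return True


if __name__ == "__main__":
    token = build_username_token("alice", "s3cret")
    print(token)
    print(UsernameTokenVerifier({"alice": "s3cret"}).verify(token))
```

The wsse and wsu namespace URIs are those of the OASIS WSS 1.0 schemas, which the 1.1 profiles reuse. The verifier accepts each nonce once and bounds the Created timestamp so that a captured token cannot be presented again later; both checks are what make the digest form of the token worth more than a clear-text password.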
Note: You cannot digitally sign or encrypt a SOAP attachment.

Note: Standards Supported by WebLogic Web Services is the definitive source of Web service standards supported in this release.

2.1.1.1 Web Services Trust and Secure Conversation
WebLogic Web services implement the Web Services Trust (WS-Trust) 1.3 and Web Services Secure Conversation (WS-SecureConversation) 1.3 specifications, which together provide secure communication between Web services and their clients (either other Web services or standalone Java client applications).

The WS-Trust specification defines extensions that provide a framework for requesting and issuing security tokens, and for brokering trust relationships.

The WS-SecureConversation specification defines mechanisms for establishing and sharing security contexts, and for deriving keys from security contexts, to enable the exchange of multiple messages. Together, the security context and derived keys potentially increase the overall performance and security of the subsequent exchanges.
2.1.1.2 Web Services SecurityPolicy 1.2
The WS-Policy specification defines a framework for allowing Web services to express their constraints and requirements. Such constraints and requirements are expressed as policy assertions.

WS-SecurityPolicy defines a set of security policy assertions for use with the WS-Policy framework to describe how messages are to be secured in the context of WSS: SOAP Message Security, WS-Trust and WS-SecureConversation.

You configure message-level security for a Web service by attaching one or more policy files that contain security policy statements, as specified by the WS-SecurityPolicy specification. See Section 2.3, Using Policy Files for Message-Level Security Configuration for detailed information about how the Web services runtime environment uses security policy files.

For information about the elements of the Web Services SecurityPolicy 1.2 that are not supported in this release of WebLogic Server, see Section 2.18, Unsupported WS-SecurityPolicy 1.2 Assertions.
2.2 Main Use Cases of Message-Level Security